source: trunk/forum/includes/auth/auth_ldap.php

Last change on this file was 702, checked in by george, 15 years ago
  • Upraveno: Aktualizace fóra.
File size: 9.7 KB
Line 
1<?php
2/**
3*
4* LDAP auth plug-in for phpBB3
5*
6* Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him.
7*
8* @package login
9* @version $Id$
10* @copyright (c) 2005 phpBB Group
11* @license http://opensource.org/licenses/gpl-license.php GNU Public License
12*
13*/
14
15/**
16* @ignore
17*/
18if (!defined('IN_PHPBB'))
19{
20 exit;
21}
22
23/**
24* Connect to ldap server
25* Only allow changing authentication to ldap if we can connect to the ldap server
26* Called in acp_board while setting authentication plugins
27*/
28function init_ldap()
29{
30 global $config, $user;
31
32 if (!@extension_loaded('ldap'))
33 {
34 return $user->lang['LDAP_NO_LDAP_EXTENSION'];
35 }
36
37 $config['ldap_port'] = (int) $config['ldap_port'];
38 if ($config['ldap_port'])
39 {
40 $ldap = @ldap_connect($config['ldap_server'], $config['ldap_port']);
41 }
42 else
43 {
44 $ldap = @ldap_connect($config['ldap_server']);
45 }
46
47 if (!$ldap)
48 {
49 return $user->lang['LDAP_NO_SERVER_CONNECTION'];
50 }
51
52 @ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
53 @ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
54
55 if ($config['ldap_user'] || $config['ldap_password'])
56 {
57 if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password'])))
58 {
59 return $user->lang['LDAP_INCORRECT_USER_PASSWORD'];
60 }
61 }
62
63 // ldap_connect only checks whether the specified server is valid, so the connection might still fail
64 $search = @ldap_search(
65 $ldap,
66 htmlspecialchars_decode($config['ldap_base_dn']),
67 ldap_user_filter($user->data['username']),
68 (empty($config['ldap_email'])) ?
69 array(htmlspecialchars_decode($config['ldap_uid'])) :
70 array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])),
71 0,
72 1
73 );
74
75 if ($search === false)
76 {
77 return $user->lang['LDAP_NO_SERVER_CONNECTION'];
78 }
79
80 $result = @ldap_get_entries($ldap, $search);
81
82 @ldap_close($ldap);
83
84
85 if (!is_array($result) || sizeof($result) < 2)
86 {
87 return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']);
88 }
89
90 if (!empty($config['ldap_email']) && !isset($result[0][htmlspecialchars_decode($config['ldap_email'])]))
91 {
92 return $user->lang['LDAP_NO_EMAIL'];
93 }
94
95 return false;
96}
97
98/**
99* Login function
100*/
101function login_ldap(&$username, &$password)
102{
103 global $db, $config, $user;
104
105 // do not allow empty password
106 if (!$password)
107 {
108 return array(
109 'status' => LOGIN_ERROR_PASSWORD,
110 'error_msg' => 'NO_PASSWORD_SUPPLIED',
111 'user_row' => array('user_id' => ANONYMOUS),
112 );
113 }
114
115 if (!$username)
116 {
117 return array(
118 'status' => LOGIN_ERROR_USERNAME,
119 'error_msg' => 'LOGIN_ERROR_USERNAME',
120 'user_row' => array('user_id' => ANONYMOUS),
121 );
122 }
123
124 if (!@extension_loaded('ldap'))
125 {
126 return array(
127 'status' => LOGIN_ERROR_EXTERNAL_AUTH,
128 'error_msg' => 'LDAP_NO_LDAP_EXTENSION',
129 'user_row' => array('user_id' => ANONYMOUS),
130 );
131 }
132
133 $config['ldap_port'] = (int) $config['ldap_port'];
134 if ($config['ldap_port'])
135 {
136 $ldap = @ldap_connect($config['ldap_server'], $config['ldap_port']);
137 }
138 else
139 {
140 $ldap = @ldap_connect($config['ldap_server']);
141 }
142
143 if (!$ldap)
144 {
145 return array(
146 'status' => LOGIN_ERROR_EXTERNAL_AUTH,
147 'error_msg' => 'LDAP_NO_SERVER_CONNECTION',
148 'user_row' => array('user_id' => ANONYMOUS),
149 );
150 }
151
152 @ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
153 @ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
154
155 if ($config['ldap_user'] || $config['ldap_password'])
156 {
157 if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password'])))
158 {
159 return $user->lang['LDAP_NO_SERVER_CONNECTION'];
160 }
161 }
162
163 $search = @ldap_search(
164 $ldap,
165 htmlspecialchars_decode($config['ldap_base_dn']),
166 ldap_user_filter($username),
167 (empty($config['ldap_email'])) ?
168 array(htmlspecialchars_decode($config['ldap_uid'])) :
169 array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])),
170 0,
171 1
172 );
173
174 $ldap_result = @ldap_get_entries($ldap, $search);
175
176 if (is_array($ldap_result) && sizeof($ldap_result) > 1)
177 {
178 if (@ldap_bind($ldap, $ldap_result[0]['dn'], htmlspecialchars_decode($password)))
179 {
180 @ldap_close($ldap);
181
182 $sql ='SELECT user_id, username, user_password, user_passchg, user_email, user_type
183 FROM ' . USERS_TABLE . "
184 WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
185 $result = $db->sql_query($sql);
186 $row = $db->sql_fetchrow($result);
187 $db->sql_freeresult($result);
188
189 if ($row)
190 {
191 unset($ldap_result);
192
193 // User inactive...
194 if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
195 {
196 return array(
197 'status' => LOGIN_ERROR_ACTIVE,
198 'error_msg' => 'ACTIVE_ERROR',
199 'user_row' => $row,
200 );
201 }
202
203 // Successful login... set user_login_attempts to zero...
204 return array(
205 'status' => LOGIN_SUCCESS,
206 'error_msg' => false,
207 'user_row' => $row,
208 );
209 }
210 else
211 {
212 // retrieve default group id
213 $sql = 'SELECT group_id
214 FROM ' . GROUPS_TABLE . "
215 WHERE group_name = '" . $db->sql_escape('REGISTERED') . "'
216 AND group_type = " . GROUP_SPECIAL;
217 $result = $db->sql_query($sql);
218 $row = $db->sql_fetchrow($result);
219 $db->sql_freeresult($result);
220
221 if (!$row)
222 {
223 trigger_error('NO_GROUP');
224 }
225
226 // generate user account data
227 $ldap_user_row = array(
228 'username' => $username,
229 'user_password' => phpbb_hash($password),
230 'user_email' => (!empty($config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($config['ldap_email'])][0]) : '',
231 'group_id' => (int) $row['group_id'],
232 'user_type' => USER_NORMAL,
233 'user_ip' => $user->ip,
234 'user_new' => ($config['new_member_post_limit']) ? 1 : 0,
235 );
236
237 unset($ldap_result);
238
239 // this is the user's first login so create an empty profile
240 return array(
241 'status' => LOGIN_SUCCESS_CREATE_PROFILE,
242 'error_msg' => false,
243 'user_row' => $ldap_user_row,
244 );
245 }
246 }
247 else
248 {
249 unset($ldap_result);
250 @ldap_close($ldap);
251
252 // Give status about wrong password...
253 return array(
254 'status' => LOGIN_ERROR_PASSWORD,
255 'error_msg' => 'LOGIN_ERROR_PASSWORD',
256 'user_row' => array('user_id' => ANONYMOUS),
257 );
258 }
259 }
260
261 @ldap_close($ldap);
262
263 return array(
264 'status' => LOGIN_ERROR_USERNAME,
265 'error_msg' => 'LOGIN_ERROR_USERNAME',
266 'user_row' => array('user_id' => ANONYMOUS),
267 );
268}
269
270/**
271* Generates a filter string for ldap_search to find a user
272*
273* @param $username string Username identifying the searched user
274*
275* @return string A filter string for ldap_search
276*/
277function ldap_user_filter($username)
278{
279 global $config;
280
281 $filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')';
282 if ($config['ldap_user_filter'])
283 {
284 $_filter = ($config['ldap_user_filter'][0] == '(' && substr($config['ldap_user_filter'], -1) == ')') ? $config['ldap_user_filter'] : "({$config['ldap_user_filter']})";
285 $filter = "(&{$filter}{$_filter})";
286 }
287 return $filter;
288}
289
290/**
291* Escapes an LDAP AttributeValue
292*/
293function ldap_escape($string)
294{
295 return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string);
296}
297
298/**
299* This function is used to output any required fields in the authentication
300* admin panel. It also defines any required configuration table fields.
301*/
302function acp_ldap(&$new)
303{
304 global $user;
305
306 $tpl = '
307
308 <dl>
309 <dt><label for="ldap_server">' . $user->lang['LDAP_SERVER'] . ':</label><br /><span>' . $user->lang['LDAP_SERVER_EXPLAIN'] . '</span></dt>
310 <dd><input type="text" id="ldap_server" size="40" name="config[ldap_server]" value="' . $new['ldap_server'] . '" /></dd>
311 </dl>
312 <dl>
313 <dt><label for="ldap_port">' . $user->lang['LDAP_PORT'] . ':</label><br /><span>' . $user->lang['LDAP_PORT_EXPLAIN'] . '</span></dt>
314 <dd><input type="text" id="ldap_port" size="40" name="config[ldap_port]" value="' . $new['ldap_port'] . '" /></dd>
315 </dl>
316 <dl>
317 <dt><label for="ldap_dn">' . $user->lang['LDAP_DN'] . ':</label><br /><span>' . $user->lang['LDAP_DN_EXPLAIN'] . '</span></dt>
318 <dd><input type="text" id="ldap_dn" size="40" name="config[ldap_base_dn]" value="' . $new['ldap_base_dn'] . '" /></dd>
319 </dl>
320 <dl>
321 <dt><label for="ldap_uid">' . $user->lang['LDAP_UID'] . ':</label><br /><span>' . $user->lang['LDAP_UID_EXPLAIN'] . '</span></dt>
322 <dd><input type="text" id="ldap_uid" size="40" name="config[ldap_uid]" value="' . $new['ldap_uid'] . '" /></dd>
323 </dl>
324 <dl>
325 <dt><label for="ldap_user_filter">' . $user->lang['LDAP_USER_FILTER'] . ':</label><br /><span>' . $user->lang['LDAP_USER_FILTER_EXPLAIN'] . '</span></dt>
326 <dd><input type="text" id="ldap_user_filter" size="40" name="config[ldap_user_filter]" value="' . $new['ldap_user_filter'] . '" /></dd>
327 </dl>
328 <dl>
329 <dt><label for="ldap_email">' . $user->lang['LDAP_EMAIL'] . ':</label><br /><span>' . $user->lang['LDAP_EMAIL_EXPLAIN'] . '</span></dt>
330 <dd><input type="text" id="ldap_email" size="40" name="config[ldap_email]" value="' . $new['ldap_email'] . '" /></dd>
331 </dl>
332 <dl>
333 <dt><label for="ldap_user">' . $user->lang['LDAP_USER'] . ':</label><br /><span>' . $user->lang['LDAP_USER_EXPLAIN'] . '</span></dt>
334 <dd><input type="text" id="ldap_user" size="40" name="config[ldap_user]" value="' . $new['ldap_user'] . '" /></dd>
335 </dl>
336 <dl>
337 <dt><label for="ldap_password">' . $user->lang['LDAP_PASSWORD'] . ':</label><br /><span>' . $user->lang['LDAP_PASSWORD_EXPLAIN'] . '</span></dt>
338 <dd><input type="password" id="ldap_password" size="40" name="config[ldap_password]" value="' . $new['ldap_password'] . '" /></dd>
339 </dl>
340 ';
341
342 // These are fields required in the config table
343 return array(
344 'tpl' => $tpl,
345 'config' => array('ldap_server', 'ldap_port', 'ldap_base_dn', 'ldap_uid', 'ldap_user_filter', 'ldap_email', 'ldap_user', 'ldap_password')
346 );
347}
348
349?>
Note: See TracBrowser for help on using the repository browser.